Hi,
I am using the conjur_iam_client for IAM role authentication to Conjur from an app (API) deployed on the AWS ECS Fargate environment. I am getting hung up on the metadata URL to use. Andrew’s code for EC2 and other instances uses http://169.254.169.254/latest/meta-data/iam/security-credentials/ and recommends using the create_conjur_iam_client_from_env function (known IAM role name, access key, secret key, etc.).
My challenge is that I do not know the access key, secret key and token for the Fargate task that is running in a container spun up by ECS.
Here is the error log, which I believe is just saying the endpoint is not working (I switched the client to use http://169.254.170.2/v2/metadata as the metadata endpoint):
23:06:46 INFO: Uvicorn running on http://0.0.0.0:8000 (Press CTRL+C to quit)
23:06:46 INFO: Started reloader process [6]
23:06:51 Process SpawnProcess-1:
23:06:51 Traceback (most recent call last):
23:06:51   File "/usr/local/lib/python3.7/multiprocessing/process.py", line 297, in _bootstrap
23:06:51     self.run()
23:06:51   File "/usr/local/lib/python3.7/multiprocessing/process.py", line 99, in run
23:06:51     self._target(*self._args, **self._kwargs)
23:06:51   File "/usr/local/lib/python3.7/site-packages/uvicorn/supervisors/statreload.py", line 29, in handle_fds
23:06:51     target(**kwargs)
23:06:51   File "/usr/local/lib/python3.7/site-packages/uvicorn/main.py", line 307, in run
23:06:51     loop.run_until_complete(self.serve(sockets=sockets))
23:06:51   File "uvloop/loop.pyx", line 1417, in uvloop.loop.Loop.run_until_complete
23:06:51   File "/usr/local/lib/python3.7/site-packages/uvicorn/main.py", line 314, in serve
23:06:51     config.load()
23:06:51   File "/usr/local/lib/python3.7/site-packages/uvicorn/config.py", line 186, in load
23:06:51     self.loaded_app = import_from_string(self.app)
23:06:51   File "/usr/local/lib/python3.7/site-packages/uvicorn/importer.py", line 20, in import_from_string
23:06:51     module = importlib.import_module(module_str)
23:06:51   File "/usr/local/lib/python3.7/importlib/__init__.py", line 127, in import_module
23:06:51     return _bootstrap._gcd_import(name[level:], package, level)
23:06:51   File "<frozen importlib._bootstrap>", line 1006, in _gcd_import
23:06:51   File "<frozen importlib._bootstrap>", line 983, in _find_and_load
23:06:51   File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
23:06:51   File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
23:06:51   File "<frozen importlib._bootstrap_external>", line 728, in exec_module
23:06:51   File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
23:06:51   File "/rainmaker-api/main.py", line 9, in <module>
23:06:51     api_token = conjur_iam_auth.conjur_hydra_test.fetchsecrets()
23:06:51   File "/rainmaker-api/conjur_iam_auth.py", line 22, in fetchsecrets
23:06:51     conjur_iam_session_token = conjur_iam_client.get_conjur_iam_session_token(appliance_url, account, service_id, username, cert_file)
23:06:51   File "/usr/local/lib/python3.7/site-packages/conjur_iam_client.py", line 159, in get_conjur_iam_session_token
23:06:51     iam_api_key = create_conjur_iam_api_key(iam_role_name, access_key, secret_key, token)
23:06:51   File "/usr/local/lib/python3.7/site-packages/conjur_iam_client.py", line 101, in create_conjur_iam_api_key
23:06:51     access_key, secret_key, token = get_iam_role_metadata(iam_role_name)
23:06:51   File "/usr/local/lib/python3.7/site-packages/conjur_iam_client.py", line 49, in get_iam_role_metadata
23:06:51     raise IAMRoleNotAvailableException()
23:06:51 conjur_iam_client.IAMRoleNotAvailableException: Most likely the ec2 instance is configured with no or an incorrect iam role
23:06:51 INFO: Stopping reloader process [6]
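The traceback above shows the library trying to read temporary credentials from the EC2 instance metadata path and failing, because on ECS (Fargate included) the task role's credentials are not served there. ECS instead exposes them on the link-local credential provider at http://169.254.170.2, under the path the ECS agent injects into the container as the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable; the /v2/metadata path on the same address is the task metadata endpoint and returns task information, not credentials. The response is a JSON document with AccessKeyId, SecretAccessKey, Token, Expiration and RoleArn, which is exactly the access key, secret key and session token the client asks for. The helper below is an added example, not code from the original post or from the conjur_iam_client library: it resolves the credential URL from the environment, fetches and validates the document, and derives the IAM role name from RoleArn so the four values can be handed to create_conjur_iam_api_key(iam_role_name, access_key, secret_key, token) as the traceback shows that function being called. The fetch function is injectable so the logic can be exercised offline; the environment variable, URL path and credential values in SAMPLE_ENV and SAMPLE_RESPONSE are constructed for the example. Credentials returned this way are short-lived and must be treated as secrets (never logged), and the Token field has to be forwarded with the key pair or the signed STS request the authenticator relies on will be rejected.

```python
import json
import os
import urllib.request
from typing import Callable, Dict, Optional

# Link-local address of the ECS credential provider; it is the same for
# EC2-launch-type and Fargate tasks. Only the path varies per task and is
# injected into the container's environment by the ECS agent.
ECS_CREDENTIALS_HOST = "http://169.254.170.2"
ECS_RELATIVE_URI_VAR = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
# Some container credential providers publish a complete URI instead.
ECS_FULL_URI_VAR = "AWS_CONTAINER_CREDENTIALS_FULL_URI"

REQUIRED_FIELDS = ("AccessKeyId", "SecretAccessKey", "Token", "RoleArn")


class EcsCredentialsUnavailable(Exception):
    """Raised when the task has no credential endpoint or returns an incomplete document."""


def _http_get_json(url: str, timeout: float = 2.0) -> Dict:
    """Default fetcher: GET the credential document from the ECS agent."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def ecs_credentials_url(env: Dict[str, str]) -> Optional[str]:
    """Build the credential URL from the environment, or None if not on ECS."""
    relative = env.get(ECS_RELATIVE_URI_VAR)
    if relative:
        return ECS_CREDENTIALS_HOST + relative
    return env.get(ECS_FULL_URI_VAR)


def role_name_from_arn(role_arn: str) -> str:
    """arn:aws:iam::123456789012:role/some/path/name -> name"""
    parts = role_arn.split(":", 5)
    if len(parts) != 6 or not parts[5].startswith("role/"):
        raise ValueError("not an IAM role ARN: %r" % role_arn)
    return parts[5].split("/")[-1]


def get_ecs_task_role_credentials(
    env: Optional[Dict[str, str]] = None,
    fetch_json: Callable[[str], Dict] = _http_get_json,
) -> Dict[str, Optional[str]]:
    """Return the task role's name and temporary credentials.

    The result maps directly onto the parameters that the traceback shows
    create_conjur_iam_api_key(iam_role_name, access_key, secret_key, token)
    expecting. Expiration is returned so callers can refresh before it lapses.
    """
    env = dict(os.environ) if env is None else env
    url = ecs_credentials_url(env)
    if url is None:
        raise EcsCredentialsUnavailable(
            "%s is not set; the task probably has no task role" % ECS_RELATIVE_URI_VAR
        )
    doc = fetch_json(url)
    missing = [field for field in REQUIRED_FIELDS if not doc.get(field)]
    if missing:
        raise EcsCredentialsUnavailable("credential document is missing %s" % missing)
    return {
        "iam_role_name": role_name_from_arn(doc["RoleArn"]),
        "access_key": doc["AccessKeyId"],
        "secret_key": doc["SecretAccessKey"],
        "token": doc["Token"],
        "expiration": doc.get("Expiration"),
    }


# Constructed sample environment and credential document for offline use.
SAMPLE_ENV = {
    ECS_RELATIVE_URI_VAR: "/v2/credentials/00000000-0000-0000-0000-000000000000",
}
SAMPLE_RESPONSE = {
    "RoleArn": "arn:aws:iam::123456789012:role/service-role/example-task-role",
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "EXAMPLESECRETKEY",
    "Token": "EXAMPLESESSIONTOKEN",
    "Expiration": "2021-01-01T00:00:00Z",
}


def demo() -> Dict[str, Optional[str]]:
    """Run the resolver against the constructed sample without touching the network."""
    def fake_fetch(url: str) -> Dict:
        assert url == ECS_CREDENTIALS_HOST + SAMPLE_ENV[ECS_RELATIVE_URI_VAR]
        return SAMPLE_RESPONSE
    return get_ecs_task_role_credentials(SAMPLE_ENV, fake_fetch)


if __name__ == "__main__":
    creds = demo()
    # Print only the non-secret parts.
    print(creds["iam_role_name"], creds["expiration"])
```

Inside a real task, call get_ecs_task_role_credentials() with no arguments and pass the returned iam_role_name, access_key, secret_key and token into the client instead of letting it consult the EC2 metadata path; if the environment variable is absent the task definition has no taskRoleArn, which is the ECS equivalent of the "no or an incorrect iam role" condition the exception message describes.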